Nope. At least, I don't.
Their knowledge base articles are pretty much 'starter level' info pages.
I've never found any more specific info than what's posted above (their forum doesn't provide more in-depth info either).
I'd contact dev Fabian Wosar (fw at emsisoft.com) for deeper info on Mamutu, not sure what they are willing to provide though.

I don't really think they would provide the rule sets or heuristics they use; that could compromise the product, I guess, and as a business that is bad.

Something like Mamutu could easily be reverse engineered in terms of behavioral blocking attributed to kernel calls - whitehats/security companies do this all of the time to malware or AVs even. Heuristic rules can often be reverse engineered as well (just test different things that might break rules) though scoring based on those rules is much more complex.

You can't tell the entire program but if you know "This call infects the computer" and "This program stops infections" it's easy to say "It's probably that call."

I'll try contacting a dev, thanks. IDK why they won't even give a simple explanation - I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.

Yeah, I tried finding some more detailed info on them as well, but couldn't find it. I do know that behaviors from that list are more a combination of action/behaviors, for example, for the Keylogger behavior warning to appear, an executable needs not only to log keystrokes, but also connect to the internet.

I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.

Briefly, "spyware behavior" entails the behavior of a component, not the specific sequence of bytes in that component's binary representation.

An example of "spyware behavior" would be a component, and/or unknown component, monitoring user behavior and/or interacting with another component, such as a Web Browser, monitoring that component's behavior and/or the user's interactions with that component, then/or petitioning calls to the Windows Application Programming Interface (API) that can potentially leak information about that behavior, such as petitioning calls to save the data to a file and/or transmit that information to a Remote Host.
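
The combination idea from the posts above (keystroke logging plus an internet connection for the keylogger warning; monitoring plus saving to a file and/or transmitting to a remote host for spyware), as an added sketch that is not part of any post and is not Emsisoft's code. The behavior names, the rule table and the event list are constructed assumptions, not Mamutu's actual rules.

```python
from collections import defaultdict

# Hypothetical rules (NOT Mamutu's real rule set). Each alert maps to
# (behaviors that must ALL be seen, behaviors of which at least ONE must be
# seen), evaluated per process rather than per single API call.
RULES = {
    "keylogger": ({"log_keystrokes", "net_connect"}, set()),
    "spyware": ({"monitor_component"}, {"file_write", "net_connect"}),
}

# Constructed sample events: (sequence number, pid, image name, behavior)
SAMPLE_EVENTS = [
    (1, 100, "notepad.exe", "file_write"),
    (2, 200, "hotkeys.exe", "log_keystrokes"),   # hooks keys, never connects
    (3, 300, "updater.exe", "net_connect"),      # connects, never hooks keys
    (4, 400, "unknown.exe", "log_keystrokes"),
    (5, 400, "unknown.exe", "file_write"),
    (6, 400, "unknown.exe", "net_connect"),      # completes the keylogger rule
    (7, 500, "toolbar.exe", "monitor_component"),
    (8, 500, "toolbar.exe", "net_connect"),      # completes the spyware rule
]


def matches(seen, rule):
    """True when every 'all' behavior and at least one 'any' behavior was seen."""
    need_all, need_any = rule
    return need_all <= seen and (not need_any or bool(need_any & seen))


def correlate(events, rules=RULES):
    """Return [(seq, pid, image, alert)] at the event that completes each rule."""
    seen = defaultdict(set)   # pid -> behaviors observed so far
    fired = set()             # (pid, alert) pairs already reported
    alerts = []
    for seq, pid, image, behavior in sorted(events):
        seen[pid].add(behavior)
        for alert in sorted(rules):
            if (pid, alert) not in fired and matches(seen[pid], rules[alert]):
                fired.add((pid, alert))
                alerts.append((seq, pid, image, alert))
    return alerts


if __name__ == "__main__":
    for seq, pid, image, alert in correlate(SAMPLE_EVENTS):
        print(f"event {seq}: pid {pid} ({image}) -> {alert} behavior")
```

Processes 200 and 300 each show only half of the keylogger combination and raise nothing, which is the point of correlating behaviors per process.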

I'd like to see them if you have them. The code is less important - if I can see what the behaviors are specifically I can figure out the code.

There is definitely one free paper available on this but I don't remember its name; I don't recall if it is specific enough to be useful to you. Maybe check the references in paper "Behavior abstraction in Malware analysis" or do this Google search: "high level" malware behavior filetype:pdf or maybe malware behavior filetype:pdf.

I've used Mamutu for almost 2 years because it was recommended here and because of the reputation of the company behind it, Emsisoft. I've looked for more information about the program and for testing, without much luck. If you find anything, Hungry Man, I'd be interested in reading about it.